kemonine / lollipopcloud

Merge branch 'yubikey-notes' of kemonine/docs into master

This commit is contained in:
KemoNine 2019-02-18 20:28:53 +00:00 committed by Gitea
commit a2890824aa
1 changed files with 181 additions and 0 deletions

advanced/yubikey_notes.md Normal file

@ -0,0 +1,181 @@
# Yubikey 4 Setup
This guide assumes you have an existing GPG key generated and saved as an asc file. There are ways to have the Yubikey 4 generate the GPG private key but for our needs we generate the GPG keys ahead of Yubikey setup using tails and keep the secret key material on encrypted disks as much as possible.
# Reset The Yubikey
## Reset Main Slot Configuration
Download the [Personalization Tools](https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/) and delete the configuration for ALL of the Yubikey's slots.
``` bash
sudo apt install yubikey-personalization-gui
```
## Reset GPG Configuration
``` bash
gpg-connect-agent
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Card has been successfully reset.
/bye
# Unplug / plug back in to ensure fully reset
gpg --card-status # Should show blank card
```
# Basic Slot Setup
Download the [Personalization Tools](https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/) and setup the Yubikey OTP 2FA in Slot 1. Leave Slot 2 non-configured. You may need/want to set this up later but it's outside the scope of this document.
``` bash
sudo apt install yubikey-personalization-gui
```
# GPG Setup
Make sure you have ```gpg2``` and ```scdaemon``` installed before doing anything further.
## Setup Yubikey For GPG
- [https://developers.yubico.com/PGP/Card_edit.html](https://developers.yubico.com/PGP/Card_edit.html)
``` bash
gpg --card-status # Shouldn't show anything useful
gpg --card-edit
admin
passwd
1
123456
3
12345678
q
name
lang
en
url
https://lollipopcloud.solutions/gpg/lc_keys/kemonine.pub
login
kemonine
quit
gpg --card-status
```
## Import GPG Keys
Remember: we pre-generate GPG keys for people. They need to be imported before setting up the Yubikey.
- [https://developers.yubico.com/PGP/Importing_keys.html](https://developers.yubico.com/PGP/Importing_keys.html)
``` bash
gpg --import kemonine.asc
gpg --list-keys --keyid-format LONG
gpg --edit-key 2DCE25A15B872D5BF592BA009D79FBF661EC6779
trust
5
y
save
gpg --card-status
gpg --expert --edit-key 2DCE25A15B872D5BF592BA009D79FBF661EC6779
toggle
keytocard
y
1
keytocard
y
3
key 1
keytocard
2
key 1
key 2
keytocard
quit
y
gpg --card-status
gpg --list-secret-keys
# Unplug Yubikey
gpg --list-secret-keys
```
# Setup Git GPG Signing
- [https://kemonine.info/post/2017/12/signed-git-commits/](https://kemonine.info/post/2017/12/signed-git-commits/)
``` bash
gpg --list-secret-keys --keyid-format LONG
# Look for something like: rsa4096/9D79FBF661EC6779 the part after the / is the key id to use with git
# cd to git project
git config commit.gpgsign true
git config user.signingkey [Your Key ID]
# Add key to gitea / gitlab -- the contents of kemonine.pub are what you put into the gitea instance
````
# SSH Auth with GPG Key
- [https://developers.yubico.com/PGP/SSH_authentication/](https://developers.yubico.com/PGP/SSH_authentication/)
- [https://kemonine.info/post/2017/12/gpg---ssh-auth/](https://kemonine.info/post/2017/12/gpg---ssh-auth/)
- [https://developers.yubico.com/PGP/SSH_authentication/](https://developers.yubico.com/PGP/SSH_authentication/)
- [https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh](https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh)
- [https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh](https://github.com/dainnilsson/scripts/blob/master/base-install/gpg.sh)
- [https://mlohr.com/gpg-agent-ssh-gnome/](https://mlohr.com/gpg-agent-ssh-gnome/)
``` bash
apt install pinentry-curses
```
``` bash
ubuntu@ubuntu ~ $ cat ~/.gnupg/gpg-agent.conf
enable-ssh-support
pinentry-program /usr/bin/pinentry-curses
default-cache-ttl 60
max-cache-ttl 120
```
``` bash
ubuntu@ubuntu ~ $ cat ~/.gnupg/gpg.conf
personal-digest-preferences SHA256
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
```
``` bash
ubuntu@ubuntu ~ $ cat .bashrc # append this to the bottom
export GPG_TTY="$(tty)"
export SSH_AUTH_SOCK="/run/user/$UID/gnupg/S.gpg-agent.ssh"
gpg-connect-agent updatestartuptty /bye
```
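Review bot: the closing fence of the "Setup Git GPG Signing" block is four backticks (````) while every other fence in the file is three, so Markdown renderers will not close that block and the "SSH Auth with GPG Key" heading and the blocks after it can be swallowed into it; change that line to ``` to match the rest of the file. Two smaller documentation points in the same hunk: the link list under "SSH Auth with GPG Key" repeats the Yubico SSH_authentication URL and the dainnilsson gpg.sh URL, so one copy of each can go; and in the "Setup Yubikey For GPG" transcript the `passwd` / `1` / `123456` / `3` / `12345678` sequence shows only the factory default PIN and admin PIN being typed at the "current PIN" prompts, not the new values, so a reader following it literally would leave the defaults in place. A one-line comment after `passwd` saying that `123456` and `12345678` are the current (factory) PINs and that the new PIN and admin PIN must be entered at the following prompts would make the intent clear. Minor consistency nit: `apt install pinentry-curses` in the SSH section lacks the `sudo` used by the other `apt install` lines.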